Slashdot Mirror

← Back to Stories (view on slashdot.org)

How to Measure Security ROI?

Posted by Cliff on from the difficult-metrics dept.

UM_Maverick asks: "Does anybody out there have any experience measuring Return on Investment for security-related expenditures? For example, if management says that there's $1 million left in the budget, and you can either implement a new customer tracking system that is projected to save $300k per year, or implement a new security technology or process, how do you measure the return on the security spend, and convince them that it's at least worth considering? Googling for 'Measuring Security ROI' seems to just produce a list of articles that say 'Measuring security ROI is difficult.' Does anybody have some more direct experience or information?"

7 of 64 comments (clear)

  1. Risk math by theonetruekeebler · · Score: 4, Informative
    Here's a gross oversimplification:

    The cost of a security breach is measured as the probability of an incident multiplied by the cost of the incident. Both numbers can be calculated surprisingly well, or at least made to sound plausible. Security software will reduce the probability of an incident. Calculate the difference. If it exceeds the cost implementing security, it's a good thing.

    This is a basic formula used for all types of data security, including backup and disaster planning.

    --
    This is not my sandwich.
    1. Re:Risk math by KerberosKing · · Score: 2, Informative

      There is a decent book on this from the Cisco Press: The Business Case for Network Security: Advocacy, Governance, and ROI by Catherine Paquet and Warren Saxe. Not only does it help put this in terms the execs and bean counters can understand, but the appendix shows you the equations to compute ROI for preventing security breaches. If you've never taken a business administration or accounting class and feel lost when the PHB asks for this stuff in a power-point deck, this book can help.

  2. Simple by Stormcrow309 · · Score: 1, Informative

    (([Total Cost of Intrustion] * [Percentage Chance of Intrustion]) / [Costs of Security Measures]) - 1 = [ROI]

    (($5,000,000 * .10) / $100,000) - 1 = 4

    --

    In God we trust, all others require data.

    1. Re:Simple by SatanicPuppy · · Score: 2, Informative

      Informative? Informative would be explaining how he came up with accurate numbers for [Total Cost of Intrusion] and [Percentage Chance of Intrusion].

      That's where the problem is in this whole issue. How much will it cost if we get owned, and how likely is it that we will get owned? If you can calculate those two data points accurately, then yes, it's easy as pie to figure out your ROI, but the problem is that figuring out the former, requires the services of a mind reader, and the latter requires the knowledge of all the weaknesses in your security and all the skills and motivations of those who want to break your security.

      Sure, it's fine and dandy to pull some numbers out of your ass and plug them into an equation, but when you get taken and the cost is higher or lower than your predicted cost, then you had better hope no one holds you accountable.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  3. Security is a Vague Term by 99BottlesOfBeerInMyF · · Score: 3, Informative

    Spending money on "security" can mean a whole lot of different things. What type of security? What are you trying to prevent? I work at a company that produces certain security products, some of which have other applications as well. When you hand the CEO a nice graph of the DDoS attack that you got your ISP to filter for you when you subscribed to their service, show how many hours of downtime it prevented, and how much money went through the online store during that time, proving ROI is fairly easy. Other kinds of security are fuzzier. Stopping worms within your network saved IT X hours of rebuilding PCs and prevented those machines from being down this many hours times the average worker's hourly rate would have been unable to work during that time etc. and you can provide some estimates.

    Before you get to that stage, however, you need to have specific security measures in mind designed to address specific security threats to your business. Some of these measures are easy to justify (need certification to do business with government agency Foo) and some are hard (better passwords make it harder for insiders to steal our customer database and sell it to Russian hackers who then use it causing a publicity problem and resulting lost customers).

  4. Security ROI by Atrivis42 · · Score: 2, Informative

    Security should be something that is considered from the beginning of design. Having said that, I know from experience that it isn't and that management tends to want to plug the hole after the boat sinks. That is, once something bad happens, you get all the money you want and all you have to say is "security". In order to get management to fund security efforts on their data networks, you have to have a good idea of what could happen to your network/data. The first step is to identify all the vulnerabilities to your systems. These include not only hackers and insiders, but also natural threats like earthquakes and hurricanes (these are mainly useful for disaster recovery solutions). Take those threats and multiply by the probability of that event happening. Probability of a hacker exploiting a known software vulnerability....pretty good. Hurricane in Kansas...probably not. Once you have these probabilities identified, then you have to measure the potential damage to the company. Will you lose all your data (destroyed, not stolen)? Will someone post/sell private data (company data or personal customer data) that was stolen. Were your servers totally destroyed and you have to buy new ones? Some of these have hard $$ costs to them. Others don't (think embarrassment and tarnished record). It's usually good to convey the "worst case" and the probability of that happening. If you make your case and still don't get the requisite funding...keep your vulnerability list and everything handy. Then if something does happen, you can point and say "told ya!" Atrivis

  5. Methodologies for security risk analysis, etc. by psykocrime · · Score: 2, Informative

    There are specific methodologies for modeling risks / threats and estimating their impact, that are used for justifying
    Information Security budgeting.

    Principles of Information Security is one book that I'm familiar with that has quite a bit of coverage of this topic. We used this for my course in Information Security a couple of years ago, and I found it pretty useful, FWIW.

    Additionally, check this OWASP Page for some good stuff.

    And finally, try googling for terms like Security Risk Analysis, Security Risk Assessment, and / or Security Threat Modeling.

    --
    // TODO: Insert Cool Sig